Insecure Defaults Affecting github.com/go-vela/server/api package, versions <0.16.0


Severity

Snyk severity: critical (CVSS assessment made by Snyk's Security Team)

Threat Intelligence

EPSS
0.37% (73rd percentile)

  • Snyk ID: SNYK-GOLANG-GITHUBCOMGOVELASERVERAPI-3112101
  • Published: 10 Nov 2022
  • Disclosed: 9 Nov 2022
  • Credit: Unknown

Introduced: 9 Nov 2022

CVE-2022-39395
CWE-453

How to fix?

Upgrade github.com/go-vela/server/api to version 0.16.0 or higher.

Overview

github.com/go-vela/server/api is the package that provides the handlers for the Vela API.

Affected versions of this package are vulnerable to Insecure Defaults, which allow exploitation and container breakouts.

The following default configurations are impacted:

  1. Default Privileged Images

By default the target/vela-docker plugin runs as a privileged container, even if the Vela administrators did not intend to allow any privileged plugins and even if the vela.yml configuration file does not use the privileged = True flag. Exploiting this vulnerability allows a malicious user to easily break out of the container and access the worker host operating system.

  2. Default Allowed Repositories

By default Vela allows anyone with a GitHub account (or an account on another enabled source control management solution) to enable a repository within Vela and run builds. If a Vela instance is accessible to the public, a third party could therefore add their own malicious repositories to the Vela instance and run arbitrary code.

  3. Default Enabled Events allow Pull Requests

The default configuration allows anyone who can issue a pull request against a repository to trigger a Vela job.

Workarounds

  1. Default Privileged Images

Instead of upgrading, the Vela administrators can adjust the worker's VELA_RUNTIME_PRIVILEGED_IMAGES setting to be explicitly empty:

VELA_RUNTIME_PRIVILEGED_IMAGES=""

Setting VELA_RUNTIME_PRIVILEGED_IMAGES to an empty value disallows any image from running as a privileged container in Vela.

  2. Default Allowed Repositories

The Vela administrators can leverage the VELA_REPO_ALLOWLIST setting on the server component to restrict access to a list of repositories that can be enabled.

By changing it from the default empty list (currently interpreted by Vela as "all repositories") to a list explicitly allowing specific repositories, Vela administrators can control what repositories are allowed to be enabled in Vela.

  3. Default Enabled Events allow Pull Requests

Audit enabled repositories and disable pull_requests if they are not needed.
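Added example (not part of the Snyk advisory or the go-vela project): a small audit script that applies the three workaround checks above to a worker environment, a server environment and a repository list. The .env contents and repository records are constructed, and allow_pull is the assumed name of the per-repository pull_request flag.

```python
"""Audit Vela worker/server settings for the CVE-2022-39395 insecure defaults."""
from typing import Dict, List

# Constructed sample inputs: a worker .env that leaves the privileged-image
# default in place, and a server .env with an empty repository allowlist.
WORKER_ENV = "VELA_SERVER_ADDR=https://vela.example.com\n"
SERVER_ENV = 'VELA_REPO_ALLOWLIST=""\n'
# Constructed repository records; 'allow_pull' is the assumed name of the
# per-repository pull_request event flag.
REPOS = [
    {"full_name": "org/app", "active": True, "allow_pull": True},
    {"full_name": "org/docs", "active": True, "allow_pull": False},
    {"full_name": "org/old", "active": False, "allow_pull": True},
]

def parse_env(text: str) -> Dict[str, str]:
    """Parse KEY=VALUE lines; comments and blanks skipped, surrounding quotes dropped."""
    env: Dict[str, str] = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        env[key.strip()] = value.strip().strip("\"'")
    return env

def split_list(value: str) -> List[str]:
    """Split a comma-separated Vela list setting, dropping empty entries."""
    return [v.strip() for v in value.split(",") if v.strip()]

def audit(worker: Dict[str, str], server: Dict[str, str], repos: List[dict]) -> List[str]:
    """Return one finding per insecure default still in effect."""
    findings: List[str] = []
    # 1. Only an explicitly empty VELA_RUNTIME_PRIVILEGED_IMAGES disables privileged
    #    containers; when unset, the built-in default lets target/vela-docker run privileged.
    if "VELA_RUNTIME_PRIVILEGED_IMAGES" not in worker:
        findings.append("worker: VELA_RUNTIME_PRIVILEGED_IMAGES unset, default privileged images apply")
    elif split_list(worker["VELA_RUNTIME_PRIVILEGED_IMAGES"]):
        findings.append("worker: privileged images allowed: " + worker["VELA_RUNTIME_PRIVILEGED_IMAGES"])
    # 2. An empty or unset VELA_REPO_ALLOWLIST is interpreted as "all repositories".
    if not split_list(server.get("VELA_REPO_ALLOWLIST", "")):
        findings.append("server: VELA_REPO_ALLOWLIST empty, any repository can be enabled")
    # 3. Each enabled repository that still accepts pull_request events.
    for repo in repos:
        if repo.get("active") and repo.get("allow_pull"):
            findings.append(f"repo {repo['full_name']}: pull_request builds enabled")
    return findings

if __name__ == "__main__":
    for finding in audit(parse_env(WORKER_ENV), parse_env(SERVER_ENV), REPOS):
        print(finding)
```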
